Cyber fatigue leads us to neglect the precautions we take on the internet Pamela Albin Moore
How many passwords do you have?
Do you remember them?
Do they meet the security minimums?
Do they have more than 10 characters, between uppercase, lowercase, numbers and other symbols?
When was the last time you changed them?
Have you recently checked to see if any of the accounts you protect have been compromised?
If a monumental laziness invades you with the mere mental review of these issues, your disorder has a name:
or cybersecurity fatigue.
Fatigue can overtake us in several ways.
According to classical studies, it was attributable to the overconfidence that resulted from having received multiple training on these risks: all this knowledge makes us feel invulnerable.
For Andrew Reeves, a researcher with the Human Aspects of Cybersecurity group at the University of Adelaide (Australia), complacency is a valid but insufficient answer.
On the one hand, the prevention measures of the companies are translated into a wave of training and recommendations on this matter.
“People are being trained so often that they get tired of hearing the same thing and sick of being told what to do.
So his behavior begins to worsen ”, says the expert.
On the other hand, the security systems themselves undermine the morale of the user, turning prevention tasks into an obstacle course that is added to the rest of the obligations of the working day: using a double authentication system, changing passwords, checking legitimacy of emails, connecting to VPNs ... "This can lead us to a situation where we are totally disconnected from cybersecurity," concludes Reeves.
Is it possible to avoid cyber fatigue?
No. And, given the upward trends in the incidence of cybercrime, the situation has no signs of improving, especially in work environments.
“At home, when you enter your bank account it is your responsibility.
At work, especially in larger companies, it is easy to think that it is someone else's problem ”, the researcher points out.
Tiredness, however, travels from one environment to another: the frustration of seeing our Facebook data potentially exposed by a leak adds to the hassles of managing business account security.
Furthermore, those who perpetrate these crimes know our weaknesses and take advantage of them: the most common hours for launching attacks are around the end of the afternoon and evening;
and the favorite day is Friday.
"Especially in the case of
- identity theft - because they know that people are tired and not thinking clearly."
But the inexorableness of this reluctance does not imply that we are condemned to use
and being exposed to the dark side of the internet out of simple laziness.
If you can't handle cyberfatigue ...
Reeves' recipe is to accept that this rejection is going to happen at one point or another.
Under this premise, the best way to minimize the consequences of cybersecurity is to design security systems that make life easier for those who have to use them, so that staying alert requires less effort.
"The big word here is
" emphasizes the researcher.
If those who design and implement the precautions were to put themselves in the shoes of the users, another rooster would crow.
"We have to work with fatigue, because we will not be able to counteract it completely," insists the expert.
The success of this change in perspective has already been confirmed by studies showing that password quality improves if password renewal is requested on a Tuesday morning instead of a Friday afternoon.
This effort to improve the user experience can also reduce friction in more convoluted procedures.
Reeves gives the example of a two-factor authentication system in which the design of the button where you had to click to activate the sending of the access code to another device made it practically invisible, so that users wasted time waiting for a message that had not even been forwarded.
"Usability is a safety factor," says the researcher.
Training content and how to communicate new security measures can also help limit the scope of cyber-fatigue.
Rather than listing a series of deplorable behaviors and dictating the correct ones outright, Reeves advocates an approach that explains why the changes and recognizes that even new measures could be out of date in no time.
"The problem we have is that sometimes there is an attitude of even moral superiority."
Thus the cybersecurity department recognizes its own fallibility, caused by the constant evolution and adaptation of criminal groups, improves the predisposition that those who must follow its recommendations.
"It is important to know what is causing cyberfatigue," warns the researcher.
Since each reason requires different treatment, a misdiagnosis can end up worsening the situation.
If the problem is in the excess of training, trying to solve it with more training will only make you fat.
In the same way, if the predisposition is good, but the problem is in the prevention systems, increasing the educational content will not solve anything.
Technostrress, primal fatigue
Although Reeves places the birth of the concept of cyberfatigue around 2009, the roots of this cybersecurity fatigue go much further back, until the beginning of the popularization of personal computers.
Between the late 1980s and early 1990s, workers whose working hours passed between papers suddenly found themselves sitting in front of a computer.
"This is how the term techno-stress was coined, which is basically the stress produced by the use of these technologies," summarizes the researcher.
The existence of this phenomenon delayed the beginnings of a more serious and specific consideration of fatigue specifically associated with cybersecurity.
"They saw it as one more form of techno-stress or work fatigue, but the many investigations that have been done on the subject reveal that it is somewhat separate from them."
You can follow EL PAÍS TECNOLOGÍA on